Risk Assessment Process

Somebody asked me if I’d put a bit more detail around some of the high level topics I cover in this blog. So I thought I’d talk a bit about the risk assessment processes that I follow.

There are a variety of ways of assessing risk. The most basic is an assessment based purely on our own opinion about the likelihood of something happening: we put a finger in the air and state “I think there’s a high risk associated with a zero-day malware attack.” This sort of assessment is not very useful because it rests on a single viewpoint, with no consideration of the scenarios around the risk, the causes of the problem, our susceptibility to the attack, or the costs involved. At the other end of the scale are the mathematical and statistical methods used by the likes of financial institutions when working with various types of investment.

What we need is a method of assessing risk that serves information security as a quick and easy decision-making tool and provides a better level of assurance than the finger-in-the-air method. Read on…

The first question is: what is risk? For our purposes a risk is a “bad outcome” comprising a threat (something that might happen which would result in the bad outcome), a vulnerability (our susceptibility to the threat), and event costs (the total operational, revenue, and reputational impact of the bad outcome). The simplest way to work with these three factors is to rate each on a high/medium/low scale, assign a numeric value to each rating, and combine the three values into a single score. We can get cleverer and use weighted averages based on how important we consider each factor to be relative to the others, but for the sake of simplicity we’ll skip over that for now.

First, an important point: if event costs, threat, or vulnerability is rated as zero then you have no risk. Ignore it and move on. A zero in any one factor cancels the other two, which is why the three values are combined by multiplication rather than addition.

Let’s take a simple example and assess the risk associated with a weak password policy on a particular web site. Let’s say, for the sake of this example, that the website allows customers access to personal information that, if compromised, could be used to commit identity fraud.

Step 1. Define the scenario for the bad outcome. In this case we might express one possible scenario as “user credentials are guessed and unauthorised access is gained to confidential data”.

Step 2. Define the threat level. There is definitely some level of threat here that we should define. We know that websites are regularly probed for weaknesses and we know that weak passwords can be fairly easily compromised. If this is a high-profile web site then I might rate the threat as High.

Step 3. Define the vulnerability level. This depends on a number of things that often vary between products. For instance, is there an account lock-out that limits the number of log-in attempts? Is there real-time monitoring in place that would identify password-guessing attacks as they happen? Rate the vulnerability as it stands after the existing controls, not the raw weakness of the password policy: you might decide that the actual level of vulnerability is fairly low if there are already lots of mitigating controls in place.

Step 4. Assess the event costs. How much would a successful attack cost your business? Remember that costs are not always tangible hard-cash numbers: consider the impact on the organisation’s reputation and also opportunity costs.
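To make the four steps concrete, here is a small scorer that works through the weak-password scenario above and ranks it against a few other constructed scenarios. This is an added example written for this post, not a tool the author describes. It assumes numeric values of High=3, Medium=2, Low=1 and None=0, that the three factors combine by multiplication (so a zero in any factor gives zero risk), and a simple rule of thumb, not stated in the post, that each mitigating control in place lowers the vulnerability rating by one level.

```python
"""Three-factor (threat x vulnerability x event cost) risk scorer.

Constructed example for the post above. Assumptions not in the post:
High=3, Medium=2, Low=1, None=0; factors combine by multiplication; each
existing mitigating control lowers the vulnerability rating by one level.
"""
from dataclasses import dataclass

RATING = {"none": 0, "low": 1, "medium": 2, "high": 3}
LEVELS = ["low", "medium", "high"]


@dataclass(frozen=True)
class Scenario:
    description: str     # Step 1: the bad outcome, in one sentence
    threat: str          # Step 2: how likely/active the threat is
    vulnerability: str   # Step 3: susceptibility after existing controls
    event_cost: str      # Step 4: operational + revenue + reputational impact


def rating(level: str) -> int:
    """Map a High/Medium/Low/None word to its numeric value."""
    key = level.strip().lower()
    if key not in RATING:
        raise ValueError(f"unknown rating {level!r}; expected one of {sorted(RATING)}")
    return RATING[key]


def vulnerability_after_controls(base: str, controls: list[str]) -> str:
    """Lower the raw vulnerability one level per mitigating control (floor: low).

    Hypothetical rule of thumb; controls reduce susceptibility but do not
    remove it, so the result never drops to 'none'.
    """
    idx = LEVELS.index(base.strip().lower())
    return LEVELS[max(0, idx - len(controls))]


def risk_score(s: Scenario) -> int:
    """Threat x vulnerability x event cost; any factor at zero gives zero risk."""
    return rating(s.threat) * rating(s.vulnerability) * rating(s.event_cost)


def prioritise(scenarios: list[Scenario]) -> list[tuple[int, Scenario]]:
    """Drop zero-risk scenarios and return the rest highest score first."""
    scored = [(risk_score(s), s) for s in scenarios]
    return sorted([x for x in scored if x[0] > 0], key=lambda x: x[0], reverse=True)


# Constructed scenarios. The second one is the post's worked example: high
# threat, vulnerability rated low because lock-out and monitoring exist,
# and high event cost because the data enables identity fraud.
EXAMPLE_SCENARIOS = [
    Scenario("credentials guessed on customer site, no lock-out or monitoring",
             "high", "high", "high"),
    Scenario("credentials guessed on customer site, lock-out and monitoring in place",
             "high", vulnerability_after_controls("high", ["account lock-out",
                                                           "real-time monitoring"]),
             "high"),
    Scenario("public brochure page defaced, no customer data held",
             "high", "medium", "low"),
    Scenario("internal test site compromised, holds only dummy data",
             "medium", "high", "none"),
]

if __name__ == "__main__":
    for score, s in prioritise(EXAMPLE_SCENARIOS):
        print(f"{score:3d}  {s.description}")
```

Run as a script, the dummy-data scenario disappears from the list entirely (its event cost is zero), and the two password-guessing scenarios land at 27 and 9 respectively, which is the point of Step 3: the same weak policy scores three times lower once you account for the controls already in place.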

Now, I’ve missed out one very important point. Do not attempt the above exercise in isolation. You will need an intimate knowledge of the issues and the products in order to make a valid assessment, so involve the people who own and run them. This matters because, in a dynamic environment with lots of different risks to consider, only by performing this exercise correctly will you be in a position to prioritise and plan for mitigating risks based on their relative impacts to your organisation.

I could break this whole process down further and drill deeper into how to get it up and running, relate it back to your policy, and define the tools needed to help you do it. In my own day-to-day real-world work, assessing risks using this process is part of standard procedure. The challenge is then in communicating the risks and ensuring that mitigating measures are commensurate with the loss impact and the needs of the business.

I’ve been hunting around for some good links and references to add to this but there is a real lack of what I think are good resources available. If you know of some then pass it on.